Upload
brodie-shrimplin
View
232
Download
2
Tags:
Embed Size (px)
Citation preview
2
Outline
Cryptology and Information Security Hash Functions and Information Security Introduction to Hash Function Application of Hash Function Dedicated Hash Functions Cryptanalysis on Hash Functions Colliding X.509 Certificates The Meaningful Collision Attack for Hash Functions The Second-Preimage Attack for Weak Message and MAC
3
Cryptology and Information Security
Information Security in Computer Network Confidentiality, Integrity, Availability, Validity, Non-repu
diation Cryptology is the key technique in Information Security Confidentiality : Encryption: Public Key or Symmetric Cip
hers Integrity : Hash Functions Validity, Non-repudiation : Digital signature and Authentic
ation (Based on hash function and hard mathematics problems such as factorization, discrete logarithm etc.
Availability :
4
Hash Function and Information Security
Hash Function is an important technique in Information Security.
Hash function is a fundamental tool in cryptology. 1 Integrity: to guarantee the data integrity in the message
transfer. 2 Legality and no disavowing: to guarantee the security of
digital signatures ( no forgery). 3 Used to design many cryptographic algorithms and
protocols. For example, digital signature , group signature, threshold signature, e-cash, e-vote, bit-commitment, many other
provable-security cryptosystems.
5
Introduction to Hash Function
Hash Function: a compress function Y=H(M) which hash any message with arbitrary length into a fixed length output:
H(M): M {0,1}*{0,1}l One-way property : Given any Y=H(M), it is infeasibl
e to get any substantial information of M. The ideal strength computations.
Second-Preimage Resistance: Given any message M1 ,it is difficult to find another message M2 such that : H(M1)=H(M2),
Free-Collision: It is difficult to find two different messages(M1, M2) with the same hash value:
H(M1)=H(M2) 。 Birthday attack:
l2
22l
l2
6
Application of Hash Function --Hash Function and Signature-1
H(M): hash function S(M): signature algorithm Signing process: Compute the fingerprint (or digest) of message: M H(M) Signing the fingerprint H(M): s=S(H(M)) If the fingerprint of M1 is the same as another different M2
H(M1)=H(M2)
Then M1 and M2 have the same signatures
S(H(M1))=S(H(M2))
H
7
Application of Hash Function --Hash Function and Signature-2
M1=(project application 1+apllication fund100,000$)
Bob has signed both messages M1 and M2 because of S(H(M1)) = S(H(M2))
M2=(project application 2+application fund1000,000$)
H(M1)=H(M2)
M1
S(H(M1))
100,000$ approved
HackerBob(Signer )
Hacker prepares two application versions for a project in advance
8
Application of Hash Function --Hash Function and Signature-3
(M2, S(H(M2))
Banks=S(H(M2)), No problem! Transfer 1000’000$Hacker
Hacker withdraws 1000,000$ with the forged signature
9
Application of Hash Function --Hash Function and Signature-4
M1=(project application 1+apllication fund 100,000$)M2=(project application 2+application fund 1000,000$)
Signature Forgery:
Attack 1 (Second pre-image attack):
Given M1, forge M2 such that H(M1)=H(M2)
Attack 2 (Collision attack):
Find M1 and M2 such that H(M1)=H(M2)
10
Application of Hash Function --Hash Function and Data Integrity
The time is 9 pm of Saturday.
The time is 9 pm of Sunday.
MessageM
Send the hash value H(M) of M by other way
ComputeH(M´) ,If H(M´)Y,believe M´isn’t the original Message
The time is 9 pm of Sunday.
Hacker
Modified M´
Alice Bob
11
Application of Hash Function --Advance for Provable Security
Shannon and perfect secure: Claude E. Shannon, Communication Theory of Secrecy Systems", 1949. Cryptographic art to cryptographic theory: Perfect secure cryptosystem One way function and public key cryptogarphy: W. Diffie, ME Hellman, New Direction in Cryptograph, 1976. Introduce public key cryptosystem and one way function Theory for psudorandom number gerneration: C. Yao, Theory and application of trapdoor functions, 1982 Psudorandom number gernerator: polynomial undistinguishable Advance for provable security: perfect security computational infeasible polynomial computational
infeasible (polynomial undistinguishable)zero-knowledge proofprovable security knowledge proof (based on hash function)
12
Application of Hash Function --Knowledge Proof Based on Hash Function
Before knowledge proof: Zero-Knowledge ProofKnowledge proof: hash function provides a random oracle: Prover P: Know a secret, for example: y=gx mod p, y: public; x: secretVerifier V: To verify Prover that P knows the secret x, but cannot
get the substantial information about x. H(M): One-way hash function c=H(y*g*t) (**) , t=gsyc
P: computes (c,s) satisfies the equation (**), send (c, s) to Verifier.
V: believe that P knows the secret x if the equation ** holds. c=H(y*g*t*m) (**) , t=gsyc: (c,s,m) is the signature of m.
13
Application of Hash Function --Knowledge Proof Based on Hash Function(Cont.)
Utilizing the knowledge proof based on hash function, many cryptographic algorithm and protocols are constructed:
Signature, group signature, threshold signature,
e-cash, bit commitment etc.
14
Dedicated Hash Functions Before 1990: Hash functions based on block ciphers Since 1990: Dedicated hash functions (constructed directly) Two kinds of dedicated hash functions MDx (Rivest) : MD4, MD5, HAVAL, RIPEMD, RIPEMD-160. SHAx (NIST) : SHA-0, SHA-1, SHA-256, 384, 512 Two widely used hash functions in the world: MD5, SHA-1 。
15
Cryptanalysis on Hash Functions ---Earlier Work on MDx
1 1993: Boer and Bosselaers found one message with two different sets of initial values.
2 1996: Dobbertin found a collision attack on MD4 with probability 2-22
(FSE’96).
3 1996: Dobbertin gave a psuodrandom collision example of MD5 which is two messages with another set of initial values (Eucrypt’96: Rump session).
4 2003: Rompay etc: collision attack with probability 2-29 (Asiacrypt’03).
16
Cryptanalysis on Hash Functions --- Wang etc Collision Attacks on MDx
In Crypto’04, Wang announced some collision examples on a series of hash functions.
1 MD5: Finding a collision with probability 2-37 (2004).
2 MD4: Finding a collision with probability 2-2-2-6.
3 RIPEME: Finding a collision with probability of 2-19.
4 HAVEL-128: Finding a collision with probability of 2-7.
17
Cryptanalysis on Hash Functions ---Earlier work on SHA-0
1997: Wang gave an algebraic method attack to find collision with probability 2-58 .
Circulated in China, wrote in Chinese. 1998: Chabaud and Joux found a collision attack
with probability: 2-61. 1998: Improved to about 2-45 by message modifi
cation
18
Cryptanalysis on Hash Functions --- Latest Work on SHA-0 and SHA-1
Joux: A four-block message collision was found by Joux in August which took about 80,000 hours of CPU time equivalent to the complexity 251 (Crypt’04 Rump session and Eurocrypt’05).
Biham and Chen: Found real collisions of SHA-1 up to 40 steps, and estimated that collisions of SHA-1 can be found up to 53-round reduced SHA-1 with complexity 248, where the reduction is to the last 53 rounds of SHA-1. (Crypt’04 Rump session and Eurocrypt’05).
Wang, Yin and Yu (Feb of 2005): Find a collision of SHA-1 with probability 2-69 (Crypto’05).
Wang, Yu and Yin (Feb of 2005 ): Find a collision of SHA-0 with probability 2-39 .
Latest improvement on SHA-1: Xiaoyun Wang , Andrew C. Yao, and Frances Yao, Find a collision of SHA-1 with probability 2-63
.
19
Colliding Valid X.509 Certificates
A. Lenstra, X.Y. Wang, B. Weger http://eprint.iacr.org/2005/067.pdf Constructing a pair of valid X.509 certificates in w
hich the “to be signed parts” is a collision for MD5.
Two certificates are different public keys for an owner.
The issuing Certificates Authority cannot prove the right key possession.
20
Meaningful Collisions for MD5 Stefan Lucks and Magnus Daum (Rump Session in Eurocrypt’05) http://th.informatik.unimannheim.de/people/lucks/HashCollisions/ http://www.cits.rub.de/MD5Collisions/
M1: A Recommendation Letter for Alice from the Boss Caesar
M2: A Order Letter for Alice’s privilege from the Boss Caesar
Two letters have the same hash value because of PS editorial softwareH(M1)=H(M2)
Questions: How many cryptographic applications suffer from the potential attack caused by hash function collisions.
21
The Second-Preimage Attack of Weak Messages
Wang, Lai etc results in Eurocrypt’05:
Any message is a weak message of MD4 with probability 2-122, and for a weak message it only need one-MD4 computation to find its second-preimage.
Any message M can be modified with the basic message modification techniques. The resulting message M0 is a weak m
essage with probability 2-23. M and M0 are close and the Hamming weight of the difference for two messages is 50 on average.
Under the advanced message modification, any message M can be modified into M0 which is a weak message with probability 2-2 to 2-6. However, the Hamming weight of the their difference grows quickly up to 110.
22
The Second-Preimage Attack of Weak Messages
Yu and Wang etc ( Recent work):
Any message is a weak message with probability 2-56 by a new collision differential path (See Table 1 and Table 2) .
By message modifications techniques, any message can be converted into a weak message with 227 MD4 computations, the Hamming weight for their difference is 44
23
Constructing MAC based-MD4
Three basic proposals to construct a MAC based-MD4
Secret prefix: MAC(M)=MD4(K1||M)
Secret suffix: MAC(M)=MD4(M||K2)
Envelope: MAC(M)=MD4(K1||M||K2)
24
Key Recovery from Hash Function Collisions--- Existing Attack for Key Recovery of Envelope Method
Bart Preneel and Paul C.van Oorschat :
It needs 2n/2 known text-MAC pairs and 2k1 offline compression function operations to recovery the key K1,, and 2k2 computations (exhaustive search) for recovery of K2.
Choosing K1 K2 does not offer additional security property. So they suggested
K1=K2.
25
Key Recovery from Hash Functions Collisions--- Effective Key Recovery of Envelope MAC Based on MD4
Wang and Yu (recent work):
Suppose K1=K2=K
Case 1 K is 128-bit.
Case 2 If K is a complete block, we deduce the 128-bit secret IV instead of finding K.
So we suppose K has 128-bit length.
26
Key Recovery from Hash Functions Collisions-- Effective key recovery of envelope MAC based on MD4 (Cont.))
Determine one bit condition b1,26= c1,26 in Table 2 with one computations and 262 MACs of random 384-bit messages M and their corresponding chosen 384-bit messages’ MAC(M’) , where difference is:
(K||M)-(K|| M’)=(0, 0, 0, 0, 222, 0,……, 0) (See Table 1)
Determine other conditions b1,i+4= c1,i+4 by one computation and the same number of MAC pairs with the similar collision differential path determined by the difference:
(K||M)-(K|| M’)=(0, 0, 0, 0, 2i, 0,……, 0) (i22).
Totally determine 32 conditions b1,i+4= c1,i+4 by 268 MAC pairs and 32 computations.
28
Key Recovery from Hash Functions Collisions-- Effective key recovery of envelope MAC based on MD4 (Cont.)
It is possible to determine more bit conditions of a1, d1 , c1 and b1 by other collision differential paths.
Provided that we have found s (s32) conditions for a1, d1 , c1 and b1 , we search for other 128-s bits, and then compute 128-bit K.
29
Key Recovery from Hash Functions Collisions -- Effective key recovery of envelope MAC based on MD4 (Cont.)
Conclusion: Determine the secret key K with about 296
computations and 268 MAC pairs with 32 collision differential paths determined by the difference:
(K||M)-(K|| M’)=(0, 0, 0, 0, 2i, 0,……, 0) The above result can be improved to determine the
secret key K with about 296-r computations with
more collision differential paths and more MAC pairs.